How to create an e-discovery employee awareness program

Tom Olzak looks at what may be the most important element of an e-discovery program: employee awareness. He outlines the objectives and details how to create an e-discovery employee awareness program.

In the previous installments of our e-discovery series, we discussed e-discovery challenges facing organizations and explained how to manage electronically stored information (ESI) so it's available when needed. Check out the first four parts of this series:

We wrap up this series with a look at another piece of an effective e-discovery process: people. E-discovery awareness is similar to general security awareness, and the challenges are the same.

Objectives of an employee awareness program

Don't confuse awareness programs with training. Training deals with developing specific skill sets. The key objective of an awareness program is to focus employees' attention on understanding the concept of discovery and how to perform day-to-day tasks when legal holds are in place. An awareness program supplements and reinforces training efforts. Without employee awareness, spoliation of discoverable ESI is probable, putting the organization at an unnecessary level of risk.

You can't make employees actively work to maintain and protect the information for which they're responsible -- they have to want to comply. It's up to you to help them understand why it's important to them and the company. Some of the topics you should consider covering in an e-discovery employee awareness program include the following:

  • What is e-discovery?
  • What is the company's e-discovery and legal hold policy?
  • How do the policies translate into practical, day-to-day activities?
  • What are the supporting processes?
  • What regulations (local, state, and Federal) apply?
  • How would failure to comply with an e-discovery request affect the business?

Another important objective of an awareness program is for employees to understand that all levels of management fully support the company's e-discovery policy. Without strong evidence of management support, your effort is weakened, and employees usually won't be very enthusiastic about learning and retaining this information.

Creating an e-discovery employee awareness program

There are four steps to reaching a working awareness program: design the program, develop or purchase awareness materials, implement the program, and perform post-implementation activities. See Figure A.

Step 1: Design the program

The design process begins with a needs assessment. Figure B shows the various inputs.

The graphic shows categories from which you should solicit inputs. Drilling down into each category, you should use the following guidelines to obtain the level of detail you need to document and prioritize the proposed topics:

  • Recent incidents: This will give you insight into weaknesses in employee knowledge of processes or e-discovery concepts in general.
  • Employee concerns: Employees who are already aware of e-discovery fundamentals can be a good source of information about day-to-day problems related to legal holds or other discovery-related activities.
  • Management concerns: Management's perspective is usually more operational or strategic. Their concerns help to complete the picture.

As you design the employee awareness program, keep in mind the following four points:

  1. Define training goals: Using the results of the needs assessment, define the goals of the program. What concerns are you trying to address? Are you including overall policy, process, standards, and guidelines? How many awareness/training sessions are required to meet your goals?
  2. Identify target audiences: Awareness presentations should be delivered to three distinct groups: all employees, management, and IT employees. Presentations to all employees include basic concepts of e-discovery and management's expectations. Management sessions should focus on policies and compliance oversight. Material presented to IT personnel must include what information should be readily available for discovery, electronic records retention issues, and where to store various types of information.
  3. Deliver the message on a frequent basis: Holding one-time sessions and assuming your work is done is a dangerous approach. Over time, the impact awareness sessions have on employee behavior diminishes. Repetition is the key to awareness maintenance. The types of awareness materials you select and your organization's culture play a significant role in how often you bring employees back into the classroom. For example, use of posters, table tents in the cafeteria, or weekly awareness e-mail might result in limiting classroom sessions to once per year.
  4. Ensure you have management support: Your awareness program will never meet its goals without strong management support. Funding, employee attendance at awareness sessions, and employee perception of the importance of e-discovery all depend on support across all levels of management.

Step 2: Develop or purchase awareness materials

Whether you buy or develop awareness materials internally is not as important as effectively delivering your message. Ensure your materials are easy to use and scalable to large audiences.

Step 3: Implement the program

Once the program design is complete, it's time to roll it out. The first step is communication. Let employees know what to expect and inform them of the importance of e-discovery awareness. In other words, wrap some context around the message. Although you might have strong management support for the concept of e-discovery awareness, make sure all levels of management are enrolled in the actual delivery method.

Step 4: Perform post-implementation activities

After you deliver the initial message, it's important to measure the effectiveness of your approach. Follow these steps to determine its effectiveness, gather feedback, and strengthen the message:

  • Monitor for compliance: You might have to get creative to maintain metrics on how employees are doing with regard to compliance. In a large organization (with several legal holds imposed in any given year), this may not be too difficult; keeping communication open between IS and Legal should provide enough insight. Smaller organizations might not know how they're doing for years, when the rare discovery request hits the door.
  • Obtain stakeholder feedback: Using the same inputs as Figure B, solicit stakeholder feedback about the perceived success of the awareness program.
  • Adjust the program to address weaknesses: Based on feedback, make adjustments to your program materials and delivery methods.

The final word

This completes the series on e-discovery. We've examined the need for e-discovery processes and the consequences for organizations that ignore the inevitability of a discovery request. We also looked at how to maintain control of discoverable information, via both technology and employee awareness.

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...
